Set the permissions required to access a specific URL
JDK 1.8.0_144 spring-boot 1.5.10 spring-security 4.2.4
The user's authority information must be loaded in advance, at login. That step is not covered here; this article assumes the user has already been granted the ADMIN authority.
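import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
// prePostEnabled = true turns on evaluation of @PreAuthorize / @PostAuthorize
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    //...
}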
Add the following annotation to the SecurityConfig class (which you probably already have):
@EnableGlobalMethodSecurity(prePostEnabled = true)
Controller method
@PreAuthorize("hasAuthority('ADMIN')")
//Controller
public void sampleAuth() {
//…
}
If you add the annotation
@PreAuthorize("hasAuthority('ADMIN')")
this Controller method will only be accessible to users with the "ADMIN" authority.
Expressions can also be used. For example, to authorize only requests from users with the [ADMIN] or [MEMBER] authority, you can write
@PreAuthorize("hasAuthority('ADMIN') OR hasAuthority('MEMBER')")
In addition to this, operators such as [AND], [OR], and [NOT (!)] can be used.
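A test that confirms the restriction is actually enforced is worth keeping next to this configuration, because @PreAuthorize is ignored when @EnableGlobalMethodSecurity(prePostEnabled = true) is missing. The following is an added example, not code from the original article; it assumes spring-boot-starter-test and spring-security-test are on the test classpath and that the controller class is named SampleController (a hypothetical name).

```java
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest
public class SampleControllerAuthTest {

    // Hypothetical controller class holding the sampleAuth() method shown above.
    // The injected bean is the proxy that applies the @PreAuthorize check.
    @Autowired
    private SampleController controller;

    // A user holding the ADMIN authority passes the check.
    @Test
    @WithMockUser(authorities = "ADMIN")
    public void adminIsAllowed() {
        controller.sampleAuth();
    }

    // An authenticated user without ADMIN is rejected.
    @Test(expected = AccessDeniedException.class)
    @WithMockUser(authorities = "MEMBER")
    public void memberIsDenied() {
        controller.sampleAuth();
    }

    // roles = "ADMIN" yields the authority "ROLE_ADMIN", which
    // hasAuthority('ADMIN') does not match (it compares the exact string).
    @Test(expected = AccessDeniedException.class)
    @WithMockUser(roles = "ADMIN")
    public void roleAdminDoesNotSatisfyHasAuthority() {
        controller.sampleAuth();
    }

    // With no Authentication in the SecurityContext the call is rejected too.
    @Test(expected = AuthenticationCredentialsNotFoundException.class)
    public void unauthenticatedIsDenied() {
        controller.sampleAuth();
    }
}
```

If the three "denied" tests fail because no exception is thrown, method security is not active for the bean, which usually means the @EnableGlobalMethodSecurity annotation was not picked up.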